Destination NAT Example—One-to-One Mapping
The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 192.0.2.100.
Before configuring the NAT rules, consider the sequence of events for this scenario.
- Host 192.0.2.250 sends an ARP request for the address 192.0.2.100 (the public address of the destination server).
- The firewall receives the ARP request packet for destination 192.0.2.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
- The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 192.0.2.100 to 10.1.1.100.
- After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
- The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ. The direction of the policy matches the ingress zone and the zone where the server is physically located. The security policy refers to the IP address in the original packet, which has a destination address of 192.0.2.100.
- The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.
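To make the zone logic in the sequence above concrete, here is an added example (not part of the original documentation, and not a PAN-OS API) that models the two lookups in Python: the NAT rule's destination zone comes from a route lookup of the pre-NAT address, while the security rule's destination zone comes from the post-NAT address yet still matches on the original address. The routes, address objects and rule names are constructed from the example in the text; the `MISTAKEN_RULES` entry shows the common error of referencing the post-NAT address in the security rule.

```python
import ipaddress

# Constructed model of the page's topology (illustration, not a PAN-OS API):
# a route lookup resolves an IP to the zone of its egress interface.
ROUTES = {                                   # prefix -> (egress interface, zone)
    "192.0.2.0/24": ("ethernet1/1", "Untrust-L3"),
    "10.1.1.0/24":  ("ethernet1/2", "DMZ"),
}
ADDRESS_OBJECTS = {"Webserver-public": "192.0.2.100", "webserver-private": "10.1.1.100"}

# NAT rule: the 'to' zone is the zone of the PRE-NAT destination (Untrust-L3).
NAT_RULES = [{"from": "Untrust-L3", "to": "Untrust-L3",
              "dst": "Webserver-public", "translated": "webserver-private"}]

# Correct security rule: 'to' is where the server really sits (DMZ), but 'dst'
# still names the original, pre-NAT address object.
SECURITY_RULES = [{"name": "allow-web", "from": "Untrust-L3", "to": "DMZ",
                   "dst": "Webserver-public"}]
# Common mistake: referencing the post-NAT address in the security rule.
MISTAKEN_RULES = [{"name": "allow-web-wrong", "from": "Untrust-L3", "to": "DMZ",
                   "dst": "webserver-private"}]

def route_zone(ip):
    """Longest-prefix route lookup; returns the zone of the egress interface."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, (_iface, zone) in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, zone)
    return best[1] if best else None

def process_packet(ingress_zone, dst_ip, security_rules=SECURITY_RULES):
    """Return (post-NAT dst, security dst zone, matched security rule name or None)."""
    # Step 1: NAT lookup. The rule's destination zone is derived from a route
    # lookup of the ORIGINAL destination address.
    translated = dst_ip
    for r in NAT_RULES:
        if (r["from"] == ingress_zone and r["to"] == route_zone(dst_ip)
                and ADDRESS_OBJECTS[r["dst"]] == dst_ip):
            translated = ADDRESS_OBJECTS[r["translated"]]
            break
    # Step 2: security lookup. The destination zone comes from a route lookup of
    # the POST-NAT address, but the address match uses the ORIGINAL address.
    sec_zone = route_zone(translated)
    for r in security_rules:
        if (r["from"] == ingress_zone and r["to"] == sec_zone
                and ADDRESS_OBJECTS[r["dst"]] == dst_ip):
            return translated, sec_zone, r["name"]
    return translated, sec_zone, None  # no match: traffic is denied
```

Running `process_packet("Untrust-L3", "192.0.2.100")` matches `allow-web`; the same packet against `MISTAKEN_RULES` matches nothing, because the security rule was written against the translated address.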
For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (192.0.2.100). The configured NAT rule would look like this:
The direction of the NAT rule (from Untrust-L3 to Untrust-L3) is based on the result of the route lookup for the original, pre-NAT destination address.
The configured security policy to provide access to the server from the Untrust-L3 zone would look like this: